Referer spoofing
In
Overview
Referer spoofing is typically done for
To improve their privacy, individual browser users may replace accurate referer data with inaccurate data, though many simply suppress their browser's sending of any referer data. Sending no referrer information is not technically spoofing, though it is sometimes also described as such.
In software, systems and networks testing, and sometimes
While many websites are configured to gather referer information and serve different content depending on the referer information obtained, exclusively relying on HTTP referer information for authentication and authorization purposes is not a genuine computer security measure. HTTP referer information is freely alterable and interceptable, and is not a password, though some poorly configured systems treat it as such.
Application
Some websites, especially many image hosting sites, use referer information to secure their materials: only browsers arriving from their web pages are served images. Additionally, a site may want users to click through pages with advertisements before being able to access a downloadable file directly; using the referring page or referring site information can help a site redirect unauthorized users to the landing page the site would like to use.
If attackers acquire knowledge of these approved referrers, which is often trivial because many sites follow a common template,[3] they can combine that knowledge with referer spoofing to gain access to the materials.
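The weakness described above, shown as an added example that is not part of the original article: a referer allow-list check beside an HMAC-signed expiring link, a commonly used replacement that the article itself does not name. The host name, key, paths and function names are constructed for illustration.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import urlsplit

APPROVED_HOST = "gallery.example"     # assumption: the site's own host name
SECRET_KEY = b"constructed-demo-key"  # assumption: server-side secret, never sent to clients


def referer_allows(headers: dict) -> bool:
    """Weak control: the decision rests on a header the client sets freely."""
    try:
        host = urlsplit(headers.get("Referer", "")).hostname
    except ValueError:  # malformed URL in the header
        return False
    return host == APPROVED_HOST


def sign_path(path: str, expires: int) -> str:
    """Mint a token that binds one resource path to an expiry time."""
    msg = f"{path}\n{expires}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def token_allows(path: str, expires: int, token: str,
                 now: Optional[float] = None) -> bool:
    """Hardened control: only the holder of SECRET_KEY can produce a valid token."""
    now = time.time() if now is None else now
    if now > expires:
        return False
    expected = sign_path(path, expires)
    return hmac.compare_digest(expected.encode(), token.encode())


if __name__ == "__main__":
    # Constructed requests. The server sees only the header value, so a
    # request from the site's own page and one from any other client that
    # sends the same value are indistinguishable to referer_allows().
    from_site_page = {"Referer": "https://gallery.example/album/7"}
    no_referer = {}
    print(referer_allows(from_site_page), referer_allows(no_referer))

    expires = int(time.time()) + 300
    token = sign_path("/img/cat.png", expires)
    print(token_allows("/img/cat.png", expires, token))   # link as issued
    print(token_allows("/img/dog.png", expires, token))   # token reused on another path
```

In a deployment, the expiry and token would travel in the link's query string, so access no longer depends on any request header.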
Spoofing often allows access to a site's content where the site's web server is configured to block browsers that do not send referer headers. Website owners may do this to disallow
It can also be used to defeat referer checking controls that are used to mitigate
Tools
Several software tools exist to facilitate referer spoofing in web browsers. Some are extensions to popular browsers such as
Other tools include
See also
- Referrer spam – Kind of spamming aimed at search engines
Notes
- ISBN 9781565925090.
- ^ "The HTTPS-Only Standard - Introduction to HTTPS". https.cio.gov. Retrieved 2021-05-01.
- ^ Sieklik, Boris (March 2016). "Evaluation of TFTP DDoS amplification attack". The Cyber Academy, Edinburgh Napier University.